6. Deploy the kubectl client tool
1. Download
[root@kubenode1 ~]# cd /usr/local/src/
[root@kubenode1 src]# wget https://storage.googleapis.com/kubernetes-release/release/v1.9.2/kubernetes-server-linux-amd64.tar.gz
[root@kubenode1 src]# tar -zxvf kubernetes-server-linux-amd64.tar.gz
# All executables, kubectl included, are in server/bin under the extracted directory: kube-apiserver, kube-controller-manager, kube-scheduler, kube-proxy, kubelet, etc.
[root@kubenode1 src]# mv /usr/local/src/kubernetes/server/bin/ /usr/local/src/kubernetes/
[root@kubenode1 src]# rm -rf /usr/local/src/kubernetes/server/
[root@kubenode1 src]# mv /usr/local/src/kubernetes/ /usr/local/
2. Create kubectl TLS certificate and private key
1) Create a kubectl certificate signing request
[root@kubenode1 ~]# cd /etc/kubernetes/admin/
[root@kubenode1 admin]# touch admin-csr.json
# kube-apiserver authorizes client requests (kubectl, kubelet, kube-proxy, etc.) with RBAC;
# it ships with a set of predefined Role/RoleBinding and ClusterRole/ClusterRoleBinding objects.
# One of them, ClusterRoleBinding cluster-admin, binds Group system:masters to ClusterRole cluster-admin,
# which holds every permission on kube-apiserver, so a certificate with "CN": "admin" and "O": "system:masters"
# is a cluster superuser.
# O sets the certificate's Group to system:masters. When kubectl presents this certificate, kube-apiserver only
# checks that it was signed by the cluster CA and is inside its validity period; the user name is taken from CN
# and the groups from O, and because system:masters is pre-bound to cluster-admin the client is granted all APIs.
# This identity cannot be revoked: kube-apiserver does not consult a CRL, so a leaked admin-key.pem can only be
# invalidated by rotating the CA. Copy the key to as few hosts as possible and prefer short validity periods.
# hosts is an empty list, i.e. no IP or hostname restriction (this is a client certificate, SANs are not needed)
[root@kubenode1 admin]# vim admin-csr.json
{
  "CN": "admin",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "ChengDu",
      "L": "ChengDu",
      "O": "system:masters",
      "OU": "cloudteam"
    }
  ]
}
2) Generate kubectl certificate and private key
[root@kubenode1 admin]# cfssl gencert -ca=/etc/kubernetes/ssl/ca.pem \
  -ca-key=/etc/kubernetes/ssl/ca-key.pem \
  -config=/etc/kubernetes/ssl/ca-config.json \
  -profile=kubernetes admin-csr.json | cfssljson -bare admin

# Distribute admin.pem and admin-key.pem to the other nodes that will run kubectl.
# admin-key.pem is the cluster's root credential: keep it owned by root with mode 0600 and copy it only to hosts that genuinely need kubectl.
[root@kubenode1 admin]# scp admin.pem admin-key.pem [email protected]:/etc/kubernetes/admin/
[root@kubenode1 admin]# scp admin.pem admin-key.pem [email protected]:/etc/kubernetes/admin/
3. Create the kubectl kubeconfig file
kubectl talks to kube-apiserver over TLS, so every call needs the server address and the client certificate and key. Without a kubeconfig file these would have to be passed as flags on each invocation, which is cumbersome.
# Configure cluster parameters
# --server: address of kube-apiserver; after the HA setup, use the VIP
# The cluster name is arbitrary but must be used consistently in the commands below
# --kubeconfig: path and file name of the kubeconfig to write; if omitted, ~/.kube/config is written by default
# --embed-certs=true copies the PEM data into the file instead of referencing the paths, so the file is self-contained
[root@kubenode1 admin]# kubectl config set-cluster kubernetes \
  --certificate-authority=/etc/kubernetes/ssl/ca.pem \
  --embed-certs=true \
  --server=https://172.30.200.10:6443 \
  --kubeconfig=admin.conf

# Configure client authentication parameters
# The user is "admin", the CN signed above; point at its certificate and private key
# (with --embed-certs=true the private key is copied into admin.conf, which therefore becomes a secret itself)
[root@kubenode1 admin]# kubectl config set-credentials admin \
  --client-certificate=/etc/kubernetes/admin/admin.pem \
  --embed-certs=true \
  --client-key=/etc/kubernetes/admin/admin-key.pem \
  --kubeconfig=admin.conf

# Configure context parameters
[root@kubenode1 admin]# kubectl config set-context admin@kubernetes \
  --cluster=kubernetes \
  --user=admin \
  --kubeconfig=admin.conf

# Set the default context
[root@kubenode1 admin]# kubectl config use-context admin@kubernetes --kubeconfig=admin.conf
# Distribute the kubeconfig file to every node that will run kubectl.
# kubectl reads the kube-apiserver address, certificates and user name from ~/.kube/config by default;
# adjust the path/file name when distributing if you keep it elsewhere.
# The file embeds admin-key.pem, so it needs the same protection as the key: root-owned, mode 0600
# (kubectl config creates admin.conf with 0600, and cp as root keeps that mode).
[root@kubenode1 admin]# mkdir -p ~/.kube
[root@kubenode1 admin]# cp /etc/kubernetes/admin/admin.conf ~/.kube/config
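The certificate step (section 2) and the kubeconfig step (section 3) together decide who the holder of the file is to kube-apiserver, yet nothing above checks the result before it is copied to other nodes. The script below is an added example, not part of the original tutorial: it writes the same kubeconfig layout that `kubectl config ... --embed-certs=true` produces, directly from PEM files and without kubectl, and then audits a kubeconfig the way a reviewer would before distributing it (key matches certificate, certificate chains to the embedded CA as a client certificate, not expired, and which user/groups the subject maps to). The CA, the admin certificate and the server address are constructed stand-ins for the page's cfssl output and VIP, generated with openssl inside the script with the same CN=admin, O=system:masters subject; only `openssl`, `base64` and a POSIX shell are needed.

```shell
#!/bin/sh
# Added example, not from the original tutorial. Builds the admin kubeconfig
# without kubectl and audits it. CA, admin cert and server address below are
# constructed stand-ins for the page's /etc/kubernetes/ssl/ca.pem, cfssl's
# admin.pem/admin-key.pem and the HA VIP.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT

# Constructed PKI: a throwaway CA plus a client cert with exactly the subject
# admin-csr.json asks for (CN=admin, O=system:masters), client-auth only.
make_test_pki() {
  openssl genrsa -out "$WORK/ca-key.pem" 2048 2>/dev/null
  openssl req -new -key "$WORK/ca-key.pem" -subj "/CN=kubernetes" -out "$WORK/ca.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >"$WORK/ca.ext"
  openssl x509 -req -days 1 -in "$WORK/ca.csr" -signkey "$WORK/ca-key.pem" \
    -extfile "$WORK/ca.ext" -out "$WORK/ca.pem" 2>/dev/null
  openssl genrsa -out "$WORK/admin-key.pem" 2048 2>/dev/null
  openssl req -new -key "$WORK/admin-key.pem" -subj "/CN=admin/O=system:masters" \
    -out "$WORK/admin.csr" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=clientAuth\n' >"$WORK/admin.ext"
  openssl x509 -req -days 1 -in "$WORK/admin.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca-key.pem" \
    -CAcreateserial -extfile "$WORK/admin.ext" -out "$WORK/admin.pem" 2>/dev/null
}

b64() { base64 <"$1" | tr -d '\n'; }   # single-line base64 on GNU and BSD alike

# What the four "kubectl config" commands on the page write, done directly:
# args: ca-pem client-cert-pem client-key-pem server-url output-file
write_kubeconfig() {
  cat >"$5" <<EOF
apiVersion: v1
kind: Config
clusters:
- name: kubernetes
  cluster:
    server: $4
    certificate-authority-data: $(b64 "$1")
users:
- name: admin
  user:
    client-certificate-data: $(b64 "$2")
    client-key-data: $(b64 "$3")
contexts:
- name: admin@kubernetes
  context:
    cluster: kubernetes
    user: admin
current-context: admin@kubernetes
EOF
  chmod 600 "$5"   # the file now carries a private key; protect it like one
}

# First value of a "key: value" line in a kubeconfig (flat YAML is enough here).
field() { sed -n "s/^ *$1: *//p" "$2" | head -n 1; }

# Audit a kubeconfig: decode the embedded PEMs, require key/cert match, a chain
# to the embedded CA valid for client auth, and an unexpired cert; then report
# the subject kube-apiserver maps to user (CN) and groups (O).
# Prints "OK subject=<RFC2253 DN> notAfter=<date>" or "FAIL: <reason>".
audit_kubeconfig() {
  d=$(mktemp -d "$WORK/audit.XXXXXX")
  field certificate-authority-data "$1" | base64 -d >"$d/ca.pem"
  field client-certificate-data    "$1" | base64 -d >"$d/cert.pem"
  field client-key-data            "$1" | base64 -d >"$d/key.pem"
  [ -s "$d/cert.pem" ] || { echo "FAIL: no client-certificate-data in $1"; return 1; }
  [ "$(openssl x509 -noout -pubkey -in "$d/cert.pem")" = "$(openssl pkey -pubout -in "$d/key.pem")" ] \
    || { echo "FAIL: client-key-data does not match client-certificate-data"; return 1; }
  openssl verify -purpose sslclient -CAfile "$d/ca.pem" "$d/cert.pem" >/dev/null 2>&1 \
    || { echo "FAIL: cert does not chain to certificate-authority-data as a client cert"; return 1; }
  openssl x509 -noout -checkend 0 -in "$d/cert.pem" >/dev/null \
    || { echo "FAIL: client certificate has expired"; return 1; }
  subj=$(openssl x509 -noout -subject -nameopt RFC2253 -in "$d/cert.pem" | sed 's/^subject= *//')
  exp=$(openssl x509 -noout -enddate -in "$d/cert.pem" | sed 's/^notAfter=//')
  case "$subj" in *O=system:masters*)
    echo "WARN: O=system:masters -> cluster-admin; kube-apiserver checks no CRL, only CA rotation revokes this key" >&2;;
  esac
  echo "OK subject=$subj notAfter=$exp"
}

make_test_pki
write_kubeconfig "$WORK/ca.pem" "$WORK/admin.pem" "$WORK/admin-key.pem" https://172.30.200.10:6443 "$WORK/admin.conf"
audit_kubeconfig "$WORK/admin.conf"
# Negative case: a kubeconfig whose embedded key belongs to a different certificate must be rejected.
write_kubeconfig "$WORK/ca.pem" "$WORK/admin.pem" "$WORK/ca-key.pem" https://172.30.200.10:6443 "$WORK/bad.conf"
audit_kubeconfig "$WORK/bad.conf" || echo "rejected as expected"
```

To check a real file, drop the lines after the function definitions and run `audit_kubeconfig /etc/kubernetes/admin/admin.conf` (or `~/.kube/config` on a client node): any subject carrying `O=system:masters` is a cluster-admin credential regardless of what the CN says, which is the property worth knowing before the file leaves the master.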